Cisco Support Community
New Member

%ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 to 172.29.150.11/54659 flags SYN ACK on interface inside

Getting this log event. This device worked fine using a point-to-point T1. Ever since we moved to an IPSEC tunnel, this device cannot communicate. Any help is greatly appreciated.

5 REPLIES
New Member

%ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 t

Aug 09 2012 20:22:34: %ASA-7-106100: access-list INSIDE-OUTBOUND permitted tcp inside/10.115.0.176(3001) -> outside/172.29.150.11(49814) hit-cnt 1 first hit [0xa58ce2e1, 0x0]

Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host inside:10.115.0.176

Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host outside:172.29.150.11

Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 to 172.29.150.11/49814 flags SYN ACK  on interface inside

Aug 09 2012 20:22:34: %ASA-7-609002: Teardown local-host inside:10.115.0.176 duration 0:00:00

Aug 09 2012 20:22:34: %ASA-7-609002: Teardown local-host outside:172.29.150.11 duration 0:00:00

Aug 09 2012 20:22:34: %ASA-7-106100: access-list INSIDE-OUTBOUND permitted tcp inside/10.115.0.175(3001) -> outside/172.29.150.11(49813) hit-cnt 1 first hit [0xa58ce2e1, 0x0]

Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host inside:10.115.0.175

Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host outside:172.29.150.11

Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.175/3001 to 172.29.150.11/49813 flags SYN ACK  on interface inside

%ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 t

Hello Matthew,

Please configure the following:

access-list test permit tcp 10.115.0.0 255.255.255.0 172.29.150.0 255.255.255.0
class-map test
 match access-list test
policy-map global_policy
 class test
  set connection advanced-options tcp-state-bypass

Then give it a try!

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
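
An added example, not part of the thread or anyone's post in it: tcp-state-bypass skips the ASA's TCP state checks for whatever the class-map matches, so the match is worth keeping as narrow as the logs allow. This Python sketch parses 106015 lines in the format quoted above, keeps only the SYN ACK denies, and prints host-and-port ACL entries for the same direction as the `test` ACL; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the logs quoted in this thread.
SAMPLE = """\
Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 to 172.29.150.11/49814 flags SYN ACK  on interface inside
Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host inside:10.115.0.176
Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.175/3001 to 172.29.150.11/49813 flags SYN ACK  on interface inside
Aug 09 2012 20:22:35: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 to 172.29.150.11/54659 flags SYN ACK  on interface inside
Aug 09 2012 20:22:36: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.9/445 to 172.29.150.20/50112 flags RST  on interface inside
"""

# Fields of a 106015 message: sender ip/port, receiver ip/port, TCP flags, interface.
DENY = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)

def synack_denies(text):
    """Count 106015 denies whose flags are exactly SYN ACK, keyed by
    (interface, server ip, server port, client ip). The SYN ACK sender is the
    server side, so its source port is the stable service port; the client's
    ephemeral destination port is dropped from the key."""
    hits = Counter()
    for line in text.splitlines():
        m = DENY.search(line)
        if m and m["flags"].split() == ["SYN", "ACK"]:
            hits[(m["ifc"], m["src"], int(m["sport"]), m["dst"])] += 1
    return hits

def scoped_acl(hits, name="test", min_hits=1):
    """Build one host-to-host ACL entry per observed flow, matching the
    server's source port, as a narrower alternative to a /24-to-/24 match.
    Review each entry before applying it; min_hits filters one-off noise."""
    return [
        f"access-list {name} extended permit tcp host {srv} eq {port} host {cli}"
        for (ifc, srv, port, cli), n in sorted(hits.items()) if n >= min_hits
    ]

if __name__ == "__main__":
    print("\n".join(scoped_acl(synack_denies(SAMPLE))))
```

A SYN ACK that hits 106015 means the ASA has no connection entry for the SYN it answers, which is why the RST line in the sample is ignored rather than turned into a bypass entry.
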
New Member

%ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 t

Thanks for that.

What about this one?

Aug 13 2012 20:52:49: %ASA-6-110003: Routing failed to locate next hop for udp from NP Identity Ifc:10.115.0.196/65535 to inside:10.5.0.10/31488.

%ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 t

Hello Matthew,

That is a routing problem.

Does the ASA know how to get to those subnets?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

%ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 t

Hello Julio,

We only have

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

for those networks on the other side. Should we put those routes in specifically even though we are also using a GRE tunnel for EIGRP?
